Hi,
I implemented an RDS with 2 Windows 2012 R2 servers:
- RD WA, RD GW and RD CB roles on the RDS-GW Server (x.x.x.11)
- RD SH on RDS-SH Server (x.x.x.12)
The external access works very well. When I connect via the RD Client (pointing to the RD Gateway) with a test user account, the RD GW verifies the CAP policy, then authenticates the user, then verifies the RAP policy, and finally the session opens on RDS-SH.
For security reasons I want only user accounts to be able to log on externally to the Session Host server (RDS-SH) via RD Gateway, but not the admin accounts.
So in RD Gateway Manager I configured a user group in the CAP policy with the user accounts I want to permit access to RD Gateway. In the RAP policy I also added the same user group and created an “RD Gateway-managed group” with the RDS-SH server in it. Now when using the Windows RDP client to access RD Gateway, in the first authentication (on RDS-GW) only the users of the user group authenticate successfully. In the second authentication (on RDS-SH) the users in the user group of the RAP policy authenticate successfully, but so do the admin accounts, even those admin accounts that are not included in the user group of the RAP policy! :(
How can I disallow the admin accounts from logging on to the RDS-SH server through Remote Desktop Gateway without using the “Allow logon through Remote Desktop Services” or “Deny log on through Remote Desktop Services” policies on the RDS-SH server?
Admin accounts need to manage the RDS-SH server via internal RDP, so I can’t use the “Allow logon through Remote Desktop Services” and “Deny log on through Remote Desktop Services” policies.
How can I achieve this?
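An added audit script for the situation described in the post (this is example code, not something the poster or Microsoft supplied). It runs on the Session Host (RDS-SH) and lists the interactive RDP logons that arrived through the RD Gateway, flagging those made with admin accounts. It relies on the fact that RD Gateway proxies the RDP connection, so the Session Host records the gateway's address (x.x.x.11 in the post) as the logon source in Security event 4624. Assumptions: the gateway address is passed as `-GatewayIp`, the RSAT ActiveDirectory module is available to resolve the admin groups, and the group names in `-AdminGroups` are the ones you consider privileged.

```powershell
# Added example, not from the original post: report RDP logons on the Session Host
# that came in via the RD Gateway, and flag any that used an admin account.
param(
    [Parameter(Mandatory)] [string]$GatewayIp,                      # gateway address, e.g. x.x.x.11 in the post
    [string[]]$AdminGroups = @('Domain Admins', 'Administrators'),  # AD groups treated as "admin" (assumption)
    [int]$Days = 7
)

Import-Module ActiveDirectory

# Flatten one event's EventData into a name -> value hashtable
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($field in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$field.Name] = $field.'#text'
    }
    return $data
}

# Resolve admin membership once; -Recursive so nested groups are included
$adminOf = @{}
foreach ($g in $AdminGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $adminOf[$_.SamAccountName.ToLower()] = $g }
    } catch {
        Write-Warning "Could not enumerate group '$g': $_"
    }
}

# Security event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP session)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    # Keep only RDP session logons whose source is the gateway
    if ($d['LogonType'] -ne '10' -or $d['IpAddress'] -ne $GatewayIp) { continue }
    $sam = ([string]$d['TargetUserName']).ToLower()
    $adminVia = if ($adminOf.ContainsKey($sam)) { $adminOf[$sam] } else { '' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Source   = $d['IpAddress']
        AdminVia = $adminVia
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

$flagged = @($report | Where-Object { $_.AdminVia -ne '' })
if ($flagged.Count -gt 0) {
    Write-Warning ('{0} RDP logon(s) from the gateway ({1}) by admin accounts in the last {2} day(s).' -f $flagged.Count, $GatewayIp, $Days)
}
```

Run it as `.\Audit-GatewayRdpLogons.ps1 -GatewayIp x.x.x.11` on RDS-SH. Checking the Session Host's own Security log, rather than the gateway's log, matters here: the gateway only records the account that passed its CAP, while the account used in the second authentication (the one the poster wants to keep admins out of) is only visible in the Session Host's 4624 events.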